Has anyone here tried and managed a successful removal of this?
I'm tempted to do a full reformat and start fresh, but if this can still be fixed...please share.
Thanks!!
Ever since I started using MalwareBytes + Microsoft Security Essentials, I've never had a PC infection. Give them a try.
You can also install avast...lightweight, but very effective...instant detection of viruses, worms, trojans.
That's a really dangerous Trojan you have there. If it's in the early stages of infection, tools like Dr. Web CureIt may be able to clean it. Otherwise, a reformat would be the only safe choice. Give the instructions here a try. Be sure to post the appropriate scan reports as indicated in the instructions so that we can check to see if your PC is clean. Good luck!
You can remove it manually by following the below mentioned steps:
1. Open Task Manager in Windows. In the Processes section, find and STOP the running Win32:Ramnit-H processes, which will be present under the name “random.exe”. All other Win32:Ramnit-H associated files mentioned below need to be removed as well.
C:\WINDOWS\System64/32\svchost.exe
C:\WINDOWS\System64/32\spoolsv.exe
%AllUsersProfile%\Application Data\.dll
%AllUsersProfile%\Application Data\.exe
2. All Win32:Ramnit-H associated registry entries mentioned below need to be deleted as well:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan Medfos.A and Medfos.B
HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = C:\WINDOWS\Network Diagnostic
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\random
Actually, I don't recommend you attempt a manual removal unless you really, really know what you are doing. For example, svchost.exe (Service Host) and spoolsv.exe (Printer Spooler Service) are essential system files, and their unwitting removal may result in an unstable system. Many malware try to disguise themselves as those two files, which is why you need to positively identify whether the files in question are the real programs or whether they're malware in disguise before you start doing anything with them. Unless you are capable of running and interpreting diagnostics, I suggest you don't tinker around with the system. Just like how a surgeon doesn't just dive right into surgery without foreknowledge, you need to know what you're dealing with before you attempt any risky procedures on your system. That's why I suggested you post the appropriate scan reports after you finish with the guide I linked -- so that we can check the reports and have a clearer understanding of the problem.
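The identification step described in the post above, as an added example that is not part of the original thread: a read-only PowerShell check that lists every running svchost.exe and spoolsv.exe with its on-disk path and Authenticode signature, so look-alikes running from the wrong folder stand out. It assumes PowerShell 3.0 or later and an elevated prompt; older PowerShell versions may report catalog-signed system files as NotSigned, so read the signature column together with the path.

```powershell
# Added example: read-only triage. It deletes and changes nothing.
# Process names the post above says malware likes to borrow.
$names = 'svchost.exe', 'spoolsv.exe'

# Folders where the genuine copies are expected to live
# (SysWOW64 holds the 32-bit svchost.exe on 64-bit Windows).
$trustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Build a WQL filter such as: Name = 'svchost.exe' OR Name = 'spoolsv.exe'
$filter = ($names | ForEach-Object { "Name = '$_'" }) -join ' OR '

Get-CimInstance Win32_Process -Filter $filter | ForEach-Object {
    $path      = $_.ExecutablePath   # empty if the prompt is not elevated
    $inSysDir  = $false
    $sigStatus = 'Unknown'
    $signer    = $null

    if ($path) {
        # -contains compares strings case-insensitively
        $inSysDir = $trustedDirs -contains (Split-Path $path -Parent)
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Name        = $_.Name
        ProcessId   = $_.ProcessId
        ParentId    = $_.ParentProcessId
        Path        = $path
        InSystemDir = $inSysDir
        Signature   = $sigStatus
        Signer      = $signer
        # Flag for a closer look: unreadable path, wrong folder, or bad signature
        NeedsReview = (-not $path) -or (-not $inSysDir) -or ($sigStatus -ne 'Valid')
    }
} | Sort-Object NeedsReview -Descending | Format-List
```

A row with NeedsReview set to True is a prompt to investigate that file further, not proof of infection.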
nod32, if you have it.
just an update.
The infection of the virus is at an advanced state...I tried installing MalwareBytes...and it detected almost 2000 (exe/dll) files infected with this virus/trojan. It kinda affected other workstations on the network since it's stalling the internet connection (ever since the infection started), based on observation of users.
So, there is no other option but to start fresh. Reformat and re-install OS and software.
CloneZilla here I come!!!
Ouch! This is one of the most virulent Trojans I've ever seen, and it propagates really quickly, too. Given the advanced state of infection you describe, a clean slate seems to be the best option. If you haven't already, you'll also probably want to disconnect the infected machines from the network. Good luck!